It’s Official: CMMC Is Now in DFARS. Here’s What Today Changes (and What You Need to Do Next)

The DoD’s final DFARS rule makes CMMC a contractual reality: effective mid-November 2025 with a three-year phase-in that reshapes defense contracting.

Deep Fathom

CMMC just moved from policy to procurement. DoD finalized the Defense Federal Acquisition Regulation Supplement (DFARS) rule that allows contracting officers to include CMMC requirements in solicitations and awards. The rule is on public inspection now and publishes in the Federal Register on Sept 10, 2025. It takes effect 60 days later, which puts the start of enforcement in mid-November 2025. (Federal Register)

This is the on-switch. Title 32 (the program rule) has been settled since late 2024. Title 48/DFARS is what makes CMMC enforceable in contracts.

What changed today

DFARS is final. Once the rule is effective, contracting officers can require CMMC in solicitations and awards. The rule establishes a three-year phase-in: for the first three years, program offices decide when to include CMMC (COTS-only remains excluded). Beginning Day 1 of Year 4, use of the clause becomes the default when a contractor will process, store, or transmit FCI or CUI. (Inside Defense, DefenseScoop)

Awards at Levels 2-3 can proceed with “conditional” status for up to 180 days while valid POA&Ms close to Final. Offerors must provide CMMC UID(s) in SPRS for each in-scope contractor information system and keep them current; contracting officers are expected to validate status at award and again when exercising options. DoD also removed the proposed “lapses in security” notification to the CO. Incident reporting remains in DFARS 252.204-7012, and annual affirmations continue in SPRS.

What to do this week (primes)

Start with systems. List the information systems you’ll use to perform upcoming work and generate the CMMC UID(s) in SPRS now, so they’re ready for proposals on Day 1. If you handle CUI, lock your Level 2 picture: NIST 800-171 implementation, scoring, and evidence that can withstand either Self or C3PAO validation as solicitations ramp. The program rule’s POA&M limits and 180-day closeout window still apply.

Then tune your teaming language. Ask subs that touch FCI/CUI for their CMMC status and UID(s). Make SPRS affirmations part of supplier qualification instead of a scramble at proposal time.

What this means for subs and smalls

If CUI is in scope for you this year, start with reality: a clean SSP, scoped assets, and evidence you can maintain and affirm annually in SPRS. If you only touch FCI, keep a crisp Level 1 Self posture and procedures. Expect primes to ask for proof. Status screenshots and UID(s) will become normal parts of teaming and proposal packages. (Program rule background: Federal Register.)

Timeline at a glance

Years 0-3 (mid-Nov 2025 to late 2028): program offices decide when to include CMMC. Expect Level 1 Self and Level 2 Self to show up first, with targeted Level 2 C3PAO or Level 3 (DIBCAC) where it fits. COTS-only stays excluded. Starting in Year 4 (late 2028 and beyond), use of the clause becomes the default wherever you process, store, or transmit FCI/CUI. During the phase-in, COs can bilaterally add the clause to existing awards, and solicitations issued before the effective date can include CMMC if the award happens after the effective date.

Notable clarifications vs. the proposed DFARS

No “lapses in security” notifications to the CO; 252.204-7012 incident reporting stays as is, and annual affirmations stay in SPRS. POA&M and conditional status are harmonized to the program rule: Levels 2-3 may be awarded with conditional status for up to 180 days while eligible POA&Ms close to Final. Definitions are tightened around contractor information systems that handle FCI/CUI, and “CMMC status” terminology is consistent across parts and clause text.

Our take, and how we’re helping

Expect solicitations to start asking for CMMC this fall and to expand as the phase-in progresses. If you’re a small team, the right posture is simple: get to evidence-backed reality and keep it current.

Deep Fathom helps you scope and map in-scope systems to practices, produce evidence with clean lineage to each control, and track readiness for Self or C3PAO assessments using the same POA&M eligibility rules the program rule uses. When there are gaps, we help you close them inside the 180-day window: assign owners, capture artifacts, and move from Conditional to Final without churn. And we make it easier to flow requirements down to subs by capturing UID(s), affirmations, and status you can trust.

If it’s helpful, we’ll publish a one-page “DFARS Day-0 Readiness Checklist” you can circulate internally.

Primary sources

  • Final DFARS CMMC rule (Title 48/DFARS): Public inspection today; Federal Register publication Sept 10, 2025; effective 60 days after publication; three-year phase-in; CMMC UID/SPRS use; conditional awards (up to 180 days); CO award/option validation; COTS exclusions.
  • Final CMMC Program rule (Title 32): FR Oct 15, 2024; effective Dec 16, 2024 (levels, assessments, POA&M constraints, annual affirmations, phased rollout logic). (Federal Register)
  • Coverage/confirmation: Inside Defense (today’s announcement); DefenseScoop (DFARS vs. Program rule context). (Inside Defense, DefenseScoop)
